[pgpool-general: 7430] Re: Pgpool works on FIPS mode of VA - very important
Tatsuo Ishii ishii at sraoss.co.jp
Tue Mar  9 11:11:13 JST 2021

> Hi Pgpool team,
> 
> We have made our hosts FIPS compliant and using pgpool for clustering. How
> to make pgpool libraries as well, FIPS compliant?

I am not familiar with FIPS. Correct me if I am wrong.

Pgpool-II uses encryption modules in several places:

ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'
                                   # Allowed SSL ciphers
                                   # (change requires restart)
ssl_prefer_server_ciphers = off
                                   # Use server's SSL cipher preferences,
                                   # rather than the client's
                                   # (change requires restart)
ssl_ecdh_curve = 'prime256v1'
                                   # Name of the curve to use in ECDH key exchange
ssl_dh_params_file = ''

You can choose appropriate values for these parameters to satisfy
FIPS.

Other parameters using encryption are named "*.password". For example:

sr_check_password = ''

You can choose a strong encryption module (AES-256-CBC) for these. See
the manual for more details.

One thing I am worried about is the pcp password. It's encrypted in md5, which
is not too strong an encryption method. This may or may not satisfy FIPS.

Best regards,
--
Tatsuo Ishii
SRA OSS, Inc. Japan
English: http://www.sraoss.co.jp/index_en.php
Japanese:http://www.sraoss.co.jp
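
The settings named in the message above can be collected into a quick configuration review. The following is an added example, not code from the message or from the Pgpool-II project: it reads pgpool.conf and pcp.conf text and lists the cipher tokens, curve, password parameters and pcp entries to look at. The review token list and the sample values are assumptions of the example, and a clean result is not a FIPS validation.

```python
import re

# Review lists are assumptions of this example, not an official FIPS catalogue.
REVIEW_CIPHER_TOKENS = {"MEDIUM", "LOW", "3DES", "DES", "RC4", "MD5"}
NIST_CURVES = {"prime256v1", "secp384r1", "secp521r1"}  # P-256, P-384, P-521
SETTING = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(?:'([^']*)'|([^#\s]*))")

def parse_conf(text):
    """Return {parameter: value} from pgpool.conf-style 'key = value' lines."""
    settings = {}
    for line in text.splitlines():
        m = SETTING.match(line)
        if m:
            settings[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return settings

def audit(pgpool_conf, pcp_conf=""):
    """List settings to review before claiming FIPS alignment."""
    findings = []
    conf = parse_conf(pgpool_conf)
    for token in conf.get("ssl_ciphers", "").split(":"):
        # '!' and '-' remove ciphers; '+' only reorders, so the cipher stays enabled.
        if token and token[0] not in "!-" and token.lstrip("+").upper() in REVIEW_CIPHER_TOKENS:
            findings.append(f"ssl_ciphers: review '{token}'")
    curve = conf.get("ssl_ecdh_curve", "")
    if curve and curve not in NIST_CURVES:
        findings.append(f"ssl_ecdh_curve: '{curve}' is not a NIST P-curve")
    for key, value in conf.items():
        if key.endswith("_password") and value and not value.startswith("AES"):
            findings.append(f"{key}: not stored AES-encrypted")
    for line in pcp_conf.splitlines():
        user, _, digest = line.strip().partition(":")
        if re.fullmatch(r"[0-9a-fA-F]{32}", digest):
            findings.append(f"pcp.conf: user '{user}' uses an md5 hash")
    return findings

# Constructed sample input: the defaults quoted in the message plus invented entries.
SAMPLE_PGPOOL_CONF = """
ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'   # Allowed SSL ciphers
ssl_ecdh_curve = 'prime256v1'
sr_check_password = ''
health_check_password = 'TEXTexample'
"""
SAMPLE_PCP_CONF = "pcpadmin:" + "0" * 32   # placeholder digest, not a real hash

if __name__ == "__main__":
    for finding in audit(SAMPLE_PGPOOL_CONF, SAMPLE_PCP_CONF):
        print(finding)
```

An empty `sr_check_password` is not reported because no password is stored in pgpool.conf in that case.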